When Dfend receives threat intelligence relevant to your organization, it creates an alert. Once you’ve been notified about an alert either by email or via a Slack message, what should you do?
Responding to an Alert within Dfend
Log in to Dfend and you’ll see a list of your new alerts, with the newest alerts at the top. From this dashboard you can click on the alert to see more detail, or mark the alert as “Done” or “Ignored”.
Understanding your Alert
Clicking on an alert shows more detail, which the Dfend team has prepared to be easily understood and actionable.
The alert type helps you understand what the alert is about. Here are some Alert Types you might see, and what they mean:
- Breach - the technology in question has had an information disclosure event, potentially putting the data you store with them at risk.
- Potential Attack - the organization appears to be under attack (for example, by a Denial of Service attack), or there is a credible and imminent attack which may affect your information security.
- Change to Best Practice - the organization has issued new guidance on how best to use their software.
- Software Update - a new feature or version of the software is available, and the update has an impact on or improvement to your security. (We won’t alert on software updates that are not security-related.)
- Change to Policy or License - a modification or new policy has been introduced which may have an impact to your information security or compliance requirements.
- Change to Company - the company has changed in some way (e.g. it has been acquired or has announced a product shutdown).
Dfend uses four severity states to indicate how risky we think the event is: the traditional Low, Medium, and High, plus Informational, which Dfend uses when the alert presents no risk to your organization now but may help mitigate future vulnerabilities.
Dfend will suggest a recommended action to take, given the likely impact and severity of the event. Suggested actions include:
- Standby - the event is still ongoing or insufficient information is available for Dfend to be able to suggest an action.
- Do Nothing - the event requires no immediate action.
- Check for Compromise - review your systems for indicators of compromise.
- Review Information - the event may or may not affect you, so review the information to ascertain your individual risk.
- Change Passwords - change any and all passwords used to access this service, and any other services where the same or similar credentials were used.
- Initiate Incident Response - this event requires immediate action from your organization, so we recommend using your Incident Response Plan to manage this process.
- Remain Vigilant - this event may be ongoing, imminent, or under investigation, and requires you keep a careful eye out for future alerts from Dfend, the service in question, and your own logging and monitoring systems. You may wish to notify your staff to ensure their vigilance.
- Update or Patch Software - determine the risk to your organization, and update or patch your software in a timeframe matching the risk presented (e.g. immediately for Critical risk, within 24 hours for High risk, etc).
Regardless of our recommended action, your response might be different. We talk about how to respond within your organization below.
The team at Dfend will summarize the event and give you a plain English recommendation on how to respond.
Links to the organization, their support channels, and their help documentation are provided for quick reference.
After responding to an alert, you can record its status in Dfend using one of the following three options:
- New - these alerts remain on your Dashboard.
- Ignored - when an alert was irrelevant, you can mark it as ignored.
- Done - you’ve responded to the alert and completed any follow up actions.
Responding to an Alert from Slack
When you’re using Dfend with Slack notifications, you can take action from right within Slack! You’ll get all the information discussed above, and can click “Done” or “Ignore”. Read more about using Dfend with Slack.
Using Dfend alerts is straightforward, but you’ll also need to decide how to respond within your organization. This is usually done by creating an Incident Response Plan and making sure staff know how to use it. The Australian Signals Directorate has written an article titled Preparing for and Responding to Cyber Security Incidents, which may provide a good starting point.
- The Technologies page lists the hundreds of cloud services and technologies Dfend can monitor for you. Learn more about monitoring your cloud services.
- The Domains page is where you can set up and review details on domains that look similar to yours. Learn how to manage your Domains.
- Need to update your account, notification preferences, or see your audit log? Visit the Settings page.
- Upgrade your Dfend account to monitor more technologies and domains, and unlock Slack notifications.